Hello Georg
I just tried this and it didn't work still legacy pages as before. I am accessing the router through the g0/0 port not the management port. However I have tried both and they still give me that old WebGUI
... View more

Hello
I am tryig to use the webUI on a 4331 Series router and I have setup the ip http server and ip http secure-server I also have the correct credentials. I access a webUI but it is not what i was expecting I am looking for this UI https://www.cisco.com/c/en/us/td/docs/routers/access/4400/software/configuration/guide/isr4400swcfg/bm_isr_4400_sw_config_guide_chapter_011.html#task_AEE38B2E6B5A4971AFB1C06BA8382695
Please see attached image to see what i am seeing
MN4331R1 uptime is 3 days, 18 hours, 31 minutes
Uptime for this control processor is 3 days, 18 hours, 33 minutes
System returned to ROM by reload
System image file is "bootflash:isr4300-universalk9.03.13.10.S.154-3.S10-ext.SPA.bin"
Last reload reason: Reload Command
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
I want to monitor apps and resources. How do I access this GUI?
Thank you
Joseph
... View more

Sorry for wrong placement of reply Hello I know this is an old thread but I have the same router and cannot get this to work. There is a bug for this but can you tell me what IOS XE you are running? Thank you Joseph
... View more

Hello Deepak I came across this post becasue the question is the same as the problem I am having. However I am not clear on the clients that connect to the switch. For example. I do understand that you need to ad the ip dhcp snooping trust on the ports that the DHCP server connects. However if I use just VLAN 1 and I do not add the same command under each port that a client is connecting to I get no address. Can you elaborate on this for me please. I do get an IP if I add the ip dhcp snooping trust under each client port however this is strange to do. Thank you Joseph
... View more

Ok Tried it and it failed until I addedd this line match protocol secure-http It still makes it to the page but will not play the videos. Added this MGR2911#sh class-map YOUTUBE Class Map match-any YOUTUBE (id 3) Match protocol http host "*youtube.com*" Match protocol secure-http Match protocol youtube Match protocol http host "*googlevideo.com*"
Works great!
... View more

Hello Francesco,
Thank you very much. I do have an update. I was doing more troubleshooting by moving the service policy from different interfaces to see the results. I am using the ability to access youtube on mobile devices and PC's and Laptops. Below are my findings.
Under this Subinterface this is the results
interface GigabitEthernet0/1.1
description VLAN 2 WIFI
encapsulation dot1Q 2
ip address 172.16.100.254 255.255.255.0
ip access-group 110 in
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly in
service-policy output BOCK-P2P
1. Will Block PC and Mobile devices browser only
Will not block YouTube App.
2. You need to block these domains. I added them to an OpenDNS
account that I own and nothing at all came through.
youtube.com
googlevideo.com
ytimg.l.google.com
youtube.l.google.com
ytimg.com
youtu.be
l.google.com
s.ytimg.com
3. There is no option to match protocol for these.However
you would think that the match protocol youtube would do the
trick. Not so....
4. Adding the following has no affect on the app
match protocol http url "youtube.l.google.com"
match protocol http url "googlevideo.com"
match protocol http url "ytimg.l.google.com"
match protocol http url "ytimg.com"
match protocol http url "s.ytimg.com"
match protocol http url "youtu.be"
match protocol http url "l.google.com"
So I would say that this does NOT work on subinterfaces well.
Under the Main Interface this is what I find
interface GigabitEthernet0/1
description MAIN_LAN
ip address 10.10.111.254 255.255.255.0
ip access-group 125 in
ip nbar protocol-discovery ipv4
ip nat inside
ip virtual-reassembly in
duplex full
speed 1000
service-policy output BOCK-P2P
1. It will block both PC and App with the app visibly
on the tablet but will not play videos. The videos just spins and timesout.
2. I still believe that these need to blocked too
for complete blockage. However there is no way that I
know of without content filtering DNS
youtube.com
googlevideo.com
ytimg.l.google.com
youtube.l.google.com
ytimg.com
youtu.be
l.google.com
s.ytimg.com
So yes and no that is works on subinterface for this model. However that would be awesome if you could find something on the Documents that say something about this model. 2911
Thank you
Joseph
... View more

Hi Francesco
I tried to remove the service policy from the WAN and place it just on the subinterface and all my mobile devices can access youtube and facebook. I have samsung devices.
When I put the policy on the Main Lan interface it stops the mobile devices and the PC's.
I was searching today a bit an saw a few posts that say NBAR doesn't work on VLAN and Subinterface.
https://learningnetwork.cisco.com/thread/57835 read a ways down
Also ran into this today when experimenting
MGR2911(config)#int g0/1
MGR2911(config-if)#ip nba
MGR2911(config-if)#ip nbar pro
MGR2911(config-if)#ip nbar protocol-discovery ipv4
MGR2911(config-if)#ip nba
MGR2911(config-if)#ip nbar pro
MGR2911(config-if)#ip nbar protocol-discovery ipv6
MGR2911(config-if)#serv
MGR2911(config-if)#service-p
MGR2911(config-if)#service-policy out
MGR2911(config-if)#service-policy output BOCK-P2P
Attaching service policy to main and sub-interface or tunnel and sub-interface in the same direction concurrently is not allowed
See error notes on last line
ICMP will most likely work but in production it doesn't
Not sure if NBAR does work on Subs. I cannot find a dininitive answer.
Thank you
Joseph
... View more